Tuesday, July 8, 2008

iptables tutorial for beginners

Introduction

Iptables is a Linux based packet filtering firewall. It interfaces to the Linux netfilter module to filter network packets, either to allow or deny traffic or to perform Network Address Translation (NAT). With careful configuration iptables can be a very cost effective, powerful and flexible firewall or gateway solution. Iptables is available from http://www.netfilter.org/ or via your Linux distribution.

In short, iptables is a packet filtering tool which allows a system administrator to decide, using rules, what happens to packets coming into and going out of the system. Iptables can be confusing at first, but it's pretty straightforward once you get the hang of it.

Rules, Chains, and Tables

Iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built-in tables: filter, NAT and mangle. More tables can be added through iptables extensions.

Filter Table

The filter table is used to allow and block traffic, and contains three chains: INPUT, OUTPUT and FORWARD. The input chain is used to filter packets destined for the local system. The output chain is used to filter packets created by the local system. The forward chain is used for packets passing through the system, which mainly matters on gateways/routers.

There are three real "chains" which iptables uses:

* INPUT: used to grant or deny incoming connections to your machine.
* OUTPUT: used to grant or deny outgoing connections from your machine.
* FORWARD: used for forwarding packets across interfaces, only really needed (in general) when you're setting up a gateway machine.

NAT Table

The NAT table is used to set up the rules that rewrite packets so NAT can happen. This table also has three chains: PREROUTING, POSTROUTING and OUTPUT. The prerouting chain is where packets arrive before being processed by the local routing table. The postrouting chain is where packets go after passing through the local routing table.

Finally, "-j ACTION" is used to specify what to do with packets which match your rule. Usually the action will be one of "-j DROP" to drop the packet, "-j ACCEPT" to accept the packet, or "-j LOG" to log it.

Commands

The first step is to know iptables commands.

Main commands

* -A --append : Add the rule at the end of the specified chain

Code:
iptables -A INPUT ...

* -D --delete : Delete a rule from a chain. There are two ways to use it: give the number of the rule within the chain, or specify the rule itself

Code:
iptables -D INPUT 1
iptables -D INPUT -p tcp --dport 80 -j DROP

* -R --replace : Replace the rule at the given number in the specified chain

Code:
iptables -R INPUT 1 -s 192.168.0.1 -j DROP

* -I --insert : Insert a rule at a specific position in the chain (position 1 is the head of the chain)

Code:
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

* -L --list : Display the rules

Code:
iptables -L        # Display all the rules of the filter table's chains
iptables -L INPUT  # Display all the INPUT rules (filter table)

* -F --flush : Delete all the rules of a chain

Code:
iptables -F INPUT  # Delete all the rules of the INPUT chain
iptables -F        # Delete all the rules

This is a common set of rules used to block brute force ssh attacks. The first rule makes sure the IP connecting is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and, if the packet threshold is exceeded, to drop the traffic.

Common Options and Switches

-A -- adds a rule at the end of the chain

-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.

-p -- protocol of the rule

--dport -- the destination port to check on the rule

-i -- interface on which the packet was received.

-j -- what to do if the rule matches

-s -- source IP address of packet

-d -- destination IP address of packet
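As an added example that is not part of the original post, the script below ties the commands (-F, -A, -j ACTION), the filter table chains and the options listed above into one small host firewall, including the sshbrute list described earlier. The sshbrute rules are my reconstruction using the "recent" match; the services (ssh on 22, http on 80), the threshold of 4 new connections in 60 seconds and the DRY_RUN switch are assumptions, not something the post specifies.

```shell
#!/bin/sh
# Host firewall for the filter table's INPUT/OUTPUT/FORWARD chains.
# Assumptions (not from the post): only ssh (22) and http (80) are served,
# and the sshbrute threshold is 4 new ssh connections per 60 seconds.
set -eu

# ipt: run iptables, or only print the rule when DRY_RUN=1 so the rule set
# can be reviewed (and tested) on a machine without root or iptables.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # -F flushes every chain of the filter table so the script is repeatable.
    ipt -F
    # Default policies: drop anything no rule accepts, allow locally created traffic.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Loopback, and replies to connections this host opened itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # sshbrute: rule 1 records every new ssh source in the list; rule 2 drops the
    # source once the current packet is its 4th (or later) new connection in 60 s.
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshbrute --set
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    # Everything else: log it (rate limited so the log cannot be flooded), then drop.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    ipt -A INPUT -j DROP
}

case "${1:-}" in
    show)  DRY_RUN=1 apply_firewall ;;   # print the rules only
    apply) apply_firewall ;;             # load them (needs root)
esac
```

Run it with "show" to review the rule order before loading, then "apply" as root and check the result with iptables -L INPUT.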